

generic.dx, backdoor-awq, mws, trojan.vbkrypt, backdoor.bot - browser redirects on searches


  • This topic is locked
3 replies to this topic

#1 heedthewarning

  • Members
  • 2 posts

Posted 20 December 2009 - 05:11 PM

IE, Chrome and Firefox all experience the same symptoms. I type nearly any search into the address bar, or in Google; it comes up with genuine search results on Google's page; I click on a link in the results, and then it sends me to a non-legitimate page, or through a link to a different page (as if I had clicked on an affiliate link).

Avast did not detect it at all; I used Ad-Aware to scan and remove, and it only detected 3 adtd cookies. Malwarebytes detected Trojan.VBKrypt and Backdoor.Bot and removed them, which temporarily (I mean 2-3 searches at most) stopped the issue. I uninstalled Avast and installed McAfee Total Protection Service, which detected Generic.dx!iqs, Generic.dx, BackDoor-AWQ, Generic.dx!gic, and MWS. All were removed, but as you can guess, the issue still persists.

Attached is the Attach.txt file.

Attached are a few RootRepeal crash logs. RootRepeal has a ton of errors that prevent me from scanning or collecting a log of any kind. Errors include 'FOPS - DeviceIoControl Error ! Error Code = 0xc0000024 Extended Info (0x000000dc)', and when I attempt to scan, the error 'DeviceIoControl Error ! Error Code = 0x0' appears. I'm guessing it might be because I'm using Windows 7...

Please advise on possible tasks and solutions. Thanks.



The following is my DDS.txt log file:



DDS (Ver_09-12-01.01) - NTFSx86
Run by Mike Faria at 14:34:34.42 on 20/12/2009
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.2.1033.18.3326.1171 [GMT -7:00]

FW: Total Protection Service *enabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Freecorder\FLVSrvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Speech\Common\sapisvr.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Users\Mike Faria\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Windows\explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\system32\StikyNot.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Mike Faria\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mike Faria\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mike Faria\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mike Faria\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mike Faria\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Users\Mike Faria\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Mike Faria\Documents\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = Preserve
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
uRun: [Google Update] "c:\users\mike faria\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Windows Live Sync] "c:\program files\windows live\sync\WindowsLiveSync.exe" /background
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [Speech Recognition] "c:\windows\speech\common\sapisvr.exe" -SpeechUX -Startup
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [MVS Splash] "c:\program files\mcafee\managed virusscan\desktopui\XTray.exe"
StartupFolder: c:\users\mikefa~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\mike faria\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\mikefa~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\softph~1.lnk - c:\program files\primus\softphone\SoftPhone.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
Trusted Zone: siteadvisor.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt5.0.0.648.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\mikefa~1\appdata\roaming\mozilla\firefox\profiles\d39ppj6w.default\
FF - component: c:\program files\mcafee\siteadvisor enterprise\components\McFFPlg.dll
FF - component: c:\users\mike faria\appdata\roaming\mozilla\firefox\profiles\d39ppj6w.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
FF - plugin: c:\users\mike faria\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-13 64288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-12-17 214664]
R2 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2009-12-17 14144]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1184912]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-11-28 47640]
R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\mcafee\siteadvisor enterprise\McSACore.exe [2009-8-7 222528]
R2 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2009-12-17 144704]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2009-12-17 280576]
R3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2009-12-17 79816]
R3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2009-12-17 35272]
R3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2009-12-17 34248]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-8-28 17408]
R3 P1130VID;Creative WebCam NX Pro;c:\windows\system32\drivers\P1130Vid.sys [2004-5-4 90229]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-12-1 119296]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-28 138680]
RUnknown aswFsBlk;aswFsBlk; [x]
RUnknown aswMonFlt;aswMonFlt; [x]
RUnknown aswSP;aswSP; [x]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

=============== Created Last 30 ================

2009-12-20 21:08:12 0 d-----w- c:\program files\TrendMicro
2009-12-17 18:17:20 8393 ----a-w- c:\windows\system32\Config.MPF
2009-12-17 18:17:11 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-12-17 18:17:10 0 d-----w- c:\program files\common files\McAfee
2009-12-17 18:15:01 55304 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2009-12-17 18:14:58 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-17 18:14:58 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-17 18:14:58 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-17 18:14:58 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-12-17 18:13:54 0 d-----w- c:\users\mikefa~1\appdata\roaming\McAfee
2009-12-17 18:08:01 0 d-----w- c:\program files\McAfee
2009-12-17 18:07:55 0 d-----w- c:\programdata\McAfee
2009-12-17 06:08:20 65536 --sha-w- c:\users\mike faria\ntuser.dat{e11df0ea-ead1-11de-8c39-0019d11265c0}.TM.blf
2009-12-17 06:08:20 524288 --sha-w- c:\users\mike faria\ntuser.dat{e11df0ea-ead1-11de-8c39-0019d11265c0}.TMContainer00000000000000000002.regtrans-ms
2009-12-17 06:08:20 524288 --sha-w- c:\users\mike faria\ntuser.dat{e11df0ea-ead1-11de-8c39-0019d11265c0}.TMContainer00000000000000000001.regtrans-ms
2009-12-15 21:55:06 0 d-----w- c:\users\mikefa~1\appdata\roaming\Malwarebytes
2009-12-15 21:55:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-15 21:55:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-15 21:55:00 0 d-----w- c:\programdata\Malwarebytes
2009-12-15 21:55:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-15 18:31:32 107864 ----a-w- c:\windows\system32\tsccvid.dll
2009-12-15 18:31:30 0 d-----w- c:\windows\system32\QuickTime
2009-12-15 18:31:20 0 d-----w- c:\programdata\TechSmith
2009-12-15 18:31:08 0 d-----w- c:\program files\common files\TechSmith Shared
2009-12-14 18:30:00 32656 ----a-w- c:\windows\system32\msonpmon.dll
2009-12-14 18:25:53 0 d-----w- c:\program files\Microsoft Visual Studio 8
2009-12-14 18:24:50 0 d-----w- c:\programdata\Microsoft Help
2009-12-14 08:10:04 0 d-----w- c:\program files\honestech Video Editor 8.0
2009-12-14 08:09:58 0 d-----w- c:\program files\honestech
2009-12-14 08:09:53 0 d-----w- C:\Device
2009-12-14 05:20:45 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-14 04:41:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-14 04:40:14 0 dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-14 04:39:53 0 d-----w- c:\programdata\Lavasoft
2009-12-14 04:39:53 0 d-----w- c:\program files\Lavasoft
2009-12-14 03:23:34 0 d-----w- c:\program files\Lavalys
2009-12-13 18:47:26 0 d-----w- c:\program files\QuickPar
2009-12-11 23:58:52 0 d-----w- c:\users\mikefa~1\appdata\roaming\Broad Intelligence
2009-12-11 23:58:15 0 d-----w- c:\program files\MediaCoder
2009-12-11 23:25:24 0 d-----w- c:\program files\common files\SWF Studio
2009-12-11 23:25:12 0 d-----w- c:\program files\Riva
2009-12-11 23:21:29 0 d-----w- c:\program files\iPhone Folders
2009-12-11 23:18:38 0 d-----w- c:\program files\iPhoneBrowser
2009-12-11 17:47:45 0 d-----w- c:\users\mikefa~1\appdata\roaming\iCloner
2009-12-11 02:42:15 0 d-----r- C:\Sandbox
2009-12-11 02:40:55 1996 ----a-w- c:\windows\Sandboxie.ini
2009-12-11 02:40:26 0 d-----w- c:\program files\Sandboxie
2009-12-11 01:35:51 0 d-----w- c:\program files\Conduit
2009-12-11 01:35:15 0 d-----w- c:\windows\Freecorder
2009-12-11 01:35:15 0 d-----w- c:\program files\Freecorder
2009-12-09 10:00:44 0 d-----w- c:\program files\MSXML 4.0
2009-12-09 01:34:32 0 d-----w- c:\users\mikefa~1\appdata\roaming\Sam Francke
2009-12-09 01:34:29 0 d-----w- c:\program files\CSVed
2009-12-08 22:00:14 0 d-----w- c:\users\mikefa~1\appdata\roaming\SoftPhone
2009-12-08 21:55:23 0 d-----w- c:\program files\Primus
2009-12-07 19:45:11 4767 ----a-w- c:\windows\Irremote.ini
2009-12-07 19:36:01 0 d-----w- c:\program files\Nero
2009-12-07 19:35:44 0 d-----w- c:\programdata\Nero
2009-12-07 19:21:39 0 d-----w- c:\windows\Nero Ultra Edition
2009-12-07 03:27:06 0 d--h--w- C:\WindowsLiveSyncTemp
2009-12-05 06:06:53 0 d-----w- c:\programdata\FLEXnet
2009-12-05 05:57:07 0 d-----w- c:\programdata\ALM
2009-12-05 05:54:01 0 d-----w- c:\program files\common files\PX Storage Engine
2009-12-05 05:45:13 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2009-12-05 04:27:34 0 d-----w- c:\program files\common files\Macrovision Shared
2009-12-04 08:28:02 65536 --sha-w- c:\users\mike faria\ntuser.dat{af0c3472-e0ae-11de-93a9-0019d11265c0}.TM.blf
2009-12-04 08:28:02 524288 --sha-w- c:\users\mike faria\ntuser.dat{af0c3472-e0ae-11de-93a9-0019d11265c0}.TMContainer00000000000000000002.regtrans-ms
2009-12-04 08:28:02 524288 --sha-w- c:\users\mike faria\ntuser.dat{af0c3472-e0ae-11de-93a9-0019d11265c0}.TMContainer00000000000000000001.regtrans-ms
2009-12-03 06:31:08 0 d-----w- c:\program files\Lexmark_HostCD
2009-12-03 06:25:39 86016 ----a-w- c:\windows\system32\STRDEVAPI.dll
2009-12-03 06:25:39 73728 ----a-w- c:\windows\system32\VNUSB.dll
2009-12-03 06:25:39 73728 ----a-w- c:\windows\system32\DW90USB.DLL
2009-12-03 06:25:39 53248 ----a-w- c:\windows\system32\OdiAPI.dll
2009-12-03 06:25:39 39096 ----a-w- c:\windows\system32\drivers\DW90USB.SYS
2009-12-03 06:25:39 38496 ----a-w- c:\windows\system32\drivers\VNUSB.sys
2009-12-03 06:25:39 114688 ----a-w- c:\windows\system32\OdiOlDVR.dll
2009-12-03 06:25:25 0 d-----w- c:\program files\Olympus
2009-12-01 10:00:37 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-12-01 10:00:11 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-30 04:28:14 0 d-----w- c:\users\mike faria\Tracing
2009-11-30 03:53:03 0 d-----w- c:\program files\Microsoft
2009-11-30 03:52:42 0 d-----w- c:\program files\Windows Live SkyDrive
2009-11-30 03:52:12 0 d-----w- c:\windows\PCHEALTH
2009-11-30 03:49:35 0 d-----w- c:\program files\common files\Windows Live
2009-11-29 17:21:13 0 d-----w- c:\users\mikefa~1\appdata\roaming\OpenOffice.org
2009-11-29 17:19:45 0 d-----w- c:\program files\JRE
2009-11-29 17:19:39 0 d-----w- c:\program files\OpenOffice.org 3
2009-11-29 17:19:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-29 16:40:03 53248 ----a-w- c:\windows\system32\CSVer.dll
2009-11-29 16:39:53 0 d-----w- C:\Intel
2009-11-29 10:01:23 34816 ----a-w- c:\windows\system32\msasn1.dll
2009-11-29 10:01:20 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-11-29 10:01:20 2613248 ----a-w- c:\windows\explorer.exe
2009-11-29 10:01:20 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2009-11-29 10:01:19 71168 ----a-w- c:\windows\system32\fontsub.dll
2009-11-29 10:01:19 507568 ----a-w- c:\windows\system32\winload.exe
2009-11-29 10:01:19 442920 ----a-w- c:\windows\system32\winresume.exe
2009-11-29 10:01:19 293888 ----a-w- c:\windows\system32\atmfd.dll
2009-11-29 10:01:19 108544 ----a-w- c:\windows\system32\t2embed.dll
2009-11-29 10:01:18 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-28 22:39:09 0 d-----w- c:\program files\Elaborate Bytes
2009-11-28 22:34:37 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-11-28 22:34:37 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-11-28 22:34:19 0 d-----w- c:\program files\iPod
2009-11-28 22:34:18 0 d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-28 22:34:18 0 d-----w- c:\program files\iTunes
2009-11-28 22:33:39 0 d-----w- c:\program files\Bonjour
2009-11-28 22:33:23 0 d-----w- c:\programdata\Apple Computer
2009-11-28 22:33:07 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_netaapl_01005.Wdf
2009-11-28 22:32:38 0 d-----w- c:\program files\WindSolutions
2009-11-28 22:32:27 0 d-----w- c:\users\mikefa~1\appdata\roaming\WindSolutions
2009-11-28 22:32:27 0 d-----w- c:\programdata\WindSolutions
2009-11-28 22:32:20 0 d-----w- c:\programdata\Apple
2009-11-28 21:59:22 0 d-----w- c:\users\mikefa~1\appdata\roaming\Dropbox
2009-11-28 21:51:03 839680 ----a-w- c:\windows\system32\lameACM.acm
2009-11-28 21:51:03 414 ----a-w- c:\windows\system32\lame_acm.xml
2009-11-28 21:51:03 38 ----a-w- c:\windows\avisplitter.ini
2009-11-28 21:51:02 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2009-11-28 21:51:02 118784 ----a-w- c:\windows\system32\ac3acm.acm
2009-11-28 21:51:01 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-11-28 21:51:01 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2009-11-28 21:51:00 0 d-----w- c:\program files\K-Lite Codec Pack
2009-11-28 21:21:49 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-11-28 21:21:49 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-11-28 21:21:49 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-11-28 21:03:55 0 d-----w- c:\programdata\Adobe
2009-11-28 20:59:52 0 d-----w- c:\program files\MozBackup
2009-11-28 20:56:53 0 d-----w- c:\program files\NewsBin
2009-11-28 20:55:32 0 d-----w- c:\programdata\LogMeIn
2009-11-28 20:55:30 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-11-28 20:55:30 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2009-11-28 20:55:30 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-11-28 20:55:28 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-11-28 20:55:26 1024 ----a-w- C:\.rnd
2009-11-28 20:55:22 0 d-----w- c:\program files\LogMeIn
2009-11-28 20:54:25 0 d-sh--w- c:\windows\Installer
2009-11-28 20:54:14 0 d-----w- c:\program files\XviD
2009-11-28 20:54:09 0 d-----w- c:\program files\AviSynth 2.5
2009-11-28 20:53:41 0 d-----w- c:\program files\AutoGK
2009-11-28 20:51:19 0 d-----w- c:\users\mikefa~1\appdata\roaming\BitTorrent
2009-11-28 20:51:12 0 d-----w- c:\program files\BitTorrent
2009-11-28 20:50:31 0 d-----w- c:\windows\Ask & Record Toolbar
2009-11-28 20:50:31 0 d-----w- c:\program files\Ask & Record Toolbar
2009-11-28 20:44:35 0 d-----w- c:\programdata\DVD Shrink
2009-11-28 20:44:35 0 d-----w- c:\program files\DVD Shrink
2009-11-28 20:39:24 0 d-----w- c:\program files\DVD Decrypter
2009-11-28 19:01:06 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-11-28 18:55:33 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-28 18:53:19 0 d-----w- c:\windows\Panther
2009-11-28 18:53:07 8192 --sha-r- C:\BOOTSECT.BAK
2009-11-28 18:53:06 383562 --sha-r- C:\bootmgr
2009-11-28 18:53:05 0 d-sh--w- C:\Boot
2009-11-28 18:42:27 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2009-11-28 18:42:09 0 d-----w- c:\windows\system32\wbem\Performance
2009-11-28 18:34:55 171136 --sha-r- C:\w7ldr
2009-11-28 18:33:58 0 d-sh--w- C:\Recovery
2009-11-28 15:56:56 0 ----a-w- c:\windows\system32\atiicdxx.dat
2009-11-28 15:56:55 0 ----a-w- c:\windows\ativpsrm.bin
2009-11-28 15:56:09 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf

==================== Find3M ====================

2009-12-17 11:55:19 21584 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 14:35:45.94 ===============


#2 heedthewarning

  • Topic Starter
  • Members
  • 2 posts

Posted 22 December 2009 - 05:18 PM

UPDATE - A day later, McAfee Total Protection Service detects Hiloti.gen in svchost.exe. All of these files pop up in c:\Windows\TEMP\filename.tmp\svchost.exe.

Hundreds pop up, all throughout the day whether or not I am here. I left my PC on and came back to over 200 to delete.

Anyways, I did a bunch of searching on Google and BC, on a different PC since this one sends me to illegitimate sites to buy their program... Result = no one has an answer. It seems every forum I go to, people are instructed to run scan x with x program, then run scan y with y program, etc. with the post unending, full of log files and no solutions.

I'm still holding out hope :(


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could have disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not post multiple times here, as that only pushes you further down the queue and causes confusion for the staff.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 29 December 2009 - 04:51 AM.
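The DDS log in the first post and the update about svchost.exe copies appearing under c:\Windows\TEMP\*.tmp\ raise the same triage question: which entries in a log like this deserve a second look before anyone starts running more scanners? The script below is an added example written for this page; it is not a tool from BleepingComputer, from the DDS author or from either poster. It walks the DDS sections by their `=== header ===` lines and flags a few indicator patterns a responder would check first: a file carrying a core Windows binary name (svchost.exe, explorer.exe, ...) that runs from outside the Windows system directories, executables running from a TEMP or Downloads folder, browser add-on or autorun entries with no file or no name, and services or drivers whose binary is missing. The embedded sample is a constructed excerpt in DDS layout: lines marked "posted log" are copied from the log above, the TEMP svchost.exe line is an assumption modelled on the path described in the update, and the list of system binary names and the rule wording are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List

# Constructed excerpt in DDS layout. Lines marked "posted log" are copied from
# the log in the first post; the TEMP svchost.exe line is an assumption modelled
# on the path described in the update (c:\Windows\TEMP\<name>.tmp\svchost.exe).
SAMPLE_DDS = "\n".join([
    "============== Running Processes ===============",
    "",
    r"C:\Windows\system32\svchost.exe -k netsvcs",                   # posted log
    r"C:\Program Files\Sandboxie\SbieSvc.exe",                       # posted log
    r"C:\Users\Mike Faria\AppData\Roaming\Dropbox\bin\Dropbox.exe",  # posted log
    r"C:\Windows\TEMP\x1.tmp\svchost.exe",                           # constructed
    r"C:\Users\Mike Faria\Documents\Downloads\dds.scr",              # posted log
    "",
    "============== Pseudo HJT Report ===============",
    "",
    r"BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll",
    "BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File",        # posted log
    "mRun: [<NO NAME>]",                                             # posted log
    r'mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"',
    "",
    "============= SERVICES / DRIVERS ===============",
    "",
    r"R2 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2009-12-17 144704]",
    "RUnknown aswSP;aswSP; [x]",                                     # posted log
])

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# Names that belong in the Windows system directories; a copy anywhere else is
# a classic masquerade. Assumed list, extend as needed.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "wininit.exe", "services.exe", "smss.exe",
                   "spoolsv.exe", "taskhost.exe", "conhost.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
USER_WRITABLE_MARKERS = ("\\temp\\", "\\downloads\\")


@dataclass(frozen=True)
class Finding:
    section: str
    rule: str
    line: str


def _image_path(entry: str) -> str:
    """Image path of a process line, dropping svchost's '-k <group>' tail."""
    return entry.split(" -k ", 1)[0].strip().strip('"')


def _process_rules(line: str) -> Iterator[str]:
    path = _image_path(line).lower()
    directory, _, name = path.rpartition("\\")
    if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
        yield "core Windows binary name running outside a Windows system directory"
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        yield "executable running from a temporary or download location"


def _hjt_rules(line: str) -> Iterator[str]:
    if line.startswith(("BHO:", "TB:", "mURLSearchHooks:")) and line.endswith("No File"):
        yield "browser add-on entry whose DLL is missing"
    if re.match(r"^(BHO|TB): \{[0-9A-Fa-f-]{36}\}", line):
        yield "browser add-on entry with no registered name"
    if re.match(r"^[um]Run: \[<NO NAME>\]", line):
        yield "autorun entry with no name"


def _service_rules(line: str) -> Iterator[str]:
    if line.startswith("RUnknown ") or line.endswith("[x]"):
        yield "service or driver registered but its binary was not found"


RULES = {
    "Running Processes": _process_rules,
    "Pseudo HJT Report": _hjt_rules,
    "SERVICES / DRIVERS": _service_rules,
}


def parse_dds(text: str) -> List[Finding]:
    """Walk a DDS log section by section and collect every rule hit."""
    section = None
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        for rule in RULES.get(section, lambda _: ())(line):
            findings.append(Finding(section, rule, line))
    return findings


def flagged_lines(text: str) -> List[str]:
    """Distinct flagged log lines, in the order they appear."""
    seen: List[str] = []
    for finding in parse_dds(text):
        if finding.line not in seen:
            seen.append(finding.line)
    return seen


if __name__ == "__main__":
    for finding in parse_dds(SAMPLE_DDS):
        print(f"[{finding.section}] {finding.rule}\n    {finding.line}")
```

Most hits are harmless on their own: dds.scr in Downloads is the diagnostic tool itself, and the RUnknown asw* entries are remnants of the uninstalled avast! driver set. That is why the script reports which rule fired instead of pronouncing a verdict. The svchost.exe under a TEMP subfolder is the one line that matches the Hiloti description in the update, and it is the file a responder would hash, submit and trace back to whatever launches it.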


#3 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,766 posts

Posted 03 January 2010 - 06:07 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#4 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,766 posts

Posted 09 January 2010 - 08:02 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti


